The Missing Cybersecurity Discussion

I’ve been following the coverage of the Wikileaks release of the DNC’s hacked emails, and I’m more interested in what isn’t being talked about. Was it embarrassing for the DNC? Well sure, just like it would be embarrassing for any of us to have our conversations made public. Yes, it revealed strategies and ideas that were ethically questionable, but some of that is politics as usual, sad to say.

What neither the media nor the politicians have done is take advantage of the leak to put cybersecurity front and center as a national discussion. Yes, Donald Trump’s comments encouraging Russia to “find” Hillary Clinton’s missing email shifted the conversation to the concerns over cyber espionage, but in a very singular way.

We’re missing the opportunity to discuss the bigger picture of this hack and its Wikileaks release on a very public stage: Cyberattacks are a serious threat to our national, corporate and personal well-being, and not just because some emails and voice mails were made public. What about all of the donors whose personal and financial information was included in that release – folks who, according to ABC News, have yet to be alerted? According to the news site, the DNC kept a spreadsheet called “Big Spreadsheet of All Things”:

… which appears to list data about every check written to the party, Hillary Clinton and President Obama going back to 2013. The file includes email addresses, phone numbers, and in some cases additional personal information not publicly available on FEC reports. Under FEC rules, contributors are required to reveal the amounts of their gifts and provide a mailing address, but not email or phone contact information.

This attack is personal to a lot of people and organizations, so where are the conversations that cyberattacks have very real consequences?

Cyberattacks aren’t one-time events, either. As Mark McArdle, CTO at eSentire, a leader in managed cyber threat detection and response services, told me in an email comment, malware is repurposed and reused once it is used successfully, and as time goes on, it gets more difficult to identify the actual attacker. He explained it this way:

Consider you have an attacker in China, who identifies a key target in the United States. The attacker in China won’t use the same tools they’ve used before -- they won’t want to provide any breadcrumbs to help build an identifiable profile. So, the attacker decides to start from scratch. In doing so, they can leverage tools (malware) already seen… they can mimic them, tweak them as they like to create something new that ultimately cloaks their identity. Once the tool is ready, the attacker deploys it to their endpoint target in the U.S. Once they successfully access the network, they need to exfiltrate data, but they won’t exfiltrate it back to China -- that’d be a clue to their identity. Instead, the attacker will pick a nondescript host, bouncing the data through compromised servers, to cover their trail.

In other words, it can be very difficult, if not impossible, to detect the attacker’s identity without a serious forensic study, so immediate accusations become a slippery slope and can create unintentional tensions between nation-states. We’re so certain the DNC attack was by Russia, and there is a very good chance it was – but what if it wasn’t?

We’re witnessing how cybersecurity concerns can influence our politics and our governance. As Chenxi Wang, chief strategy officer for Twistlock, told me in an email comment, we’re entering a new cyber reality, where attacks and our response to them are entrenched in every facet of life – technology, economics, health, and now politics:

Going forward, we really have to be much more vigilant than we have been in the past. Because now, it’s not just individual companies or data belonging to tens of thousands of users that are at stake. Instead, it could be an entire nation’s political future that hangs in the balance, entailing significant consequences on a global scale that last longer and reach farther than they ever have before.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba